1) [X] Responsive to communication(s) filed on 28 September 2010.
DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
09/20/2010 has been entered.

2. Claims 1-4, 7, 13 and 16 have been amended; claims 5-6, 8-12, 14-15 and 19-20 
have been cancelled. Claims 1-4, 7, 13 and 16-18 remain pending. 

Response to Arguments 

3. Applicant's amendment to the specification is acknowledged. The specification
has been reviewed and entered, and the amendment obviates the previously raised
objection for minor informality.

4. Applicant's cancellation of claims 14, 15 and 20 renders the rejection of claims
14, 15 and 20 under 35 U.S.C. 101 moot. The rejection of claims 14, 15 and 20 under 35
U.S.C. 101 is hereby withdrawn.

5. Applicant's amendment to the specification on 09/20/2010 obviates the previously
raised rejection of claims 4 and 16 under 35 U.S.C. 101. The rejection under 35 U.S.C. 101
is hereby withdrawn.



Application/Control Number: 10/769,038 Page 3 

Art Unit: 2432 

6. Applicant's arguments with respect to claims 1-4, 7, 13 and 16-18 have been
considered but are not persuasive in view of the new ground(s) of rejection necessitated
by the amendment to the claims.

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 1-4, 7, 13 and 16-18 are rejected under 35 U.S.C. 103(a) as being
unpatentable over White et al. ("Anatomy of a Commercial-Grade Immune System",
http://citeseer.ist.psu.edu/white99anatomy.html, 1999), hereinafter "White", in view of
Schultz et al. (US 2003/0065926), hereinafter "Schultz", and further in view of
Muttik et al. (US 2004/0199827), hereinafter "Muttik".

9. Regarding claim 1, White discloses a malware detection system and means for
determining whether a code module is malware according to the code module's
exhibited behaviors (Fig. 3, page 14), the system comprising a memory storing the
following computer executable components:

at least one dynamic behavior evaluation module (Fig. 6, page 20, Analysis
Center reads on dynamic behavior evaluation module), wherein each dynamic
behavior evaluation module provides a virtual environment for executing a code
module of a particular type (Section "Creation of the replication environment", Page
20: paragraph 1: lines 1-5), and wherein each dynamic behavior evaluation module
records execution behaviors that the code module makes as it is executed, wherein the
behaviors of the code module are recorded into a behavior signature corresponding
to the code module (Fig. 6, page 20: item "archive" and Section "Analysis", page 21:
paragraph 1: lines 5-6; extracting a good signature and storing it in the archive for
developing virus definitions reads on each dynamic behavior evaluation module
recording behaviors which may be exhibited by the code module as it is
executed into a behavior signature);

a management module, wherein the management module obtains the code
module, and wherein the management module evaluates the code module to
determine the code module's type (page 23 under "Scaling the analysis center", 1st
paragraph, and page 25 under "Macro Viruses", 1st paragraph), and wherein the
management module selects a dynamic behavior evaluation module to execute the
code module according to the code module's type (Fig. 6: page 20: item "workflow
supervisor" and Section "Macro Viruses": page 25: paragraph 1: lines 5-7; the
supervisor accepts a suspected virus sample and feeds it into a different virtual
environment for each format and language of macro virus, which reads on a management
module for obtaining the code module and selecting a dynamic behavior evaluation
module to execute the code module according to the code module's type);

a malware behavior signature store storing at least one known malware behavior
signature of a known malware (Fig. 3: item archive, Page 20, and Section "The
Supervisor", pages 18 and 19, paragraph 3: lines 1-2, and Section "Definition
generation", Page 21: paragraph 1: lines 1-10; the archive and virus definition file read
on a malware behavior signature store storing at least one known malware behavior
signature);

a behavior signature comparison module that obtains the behavior signature of
the code module and compares the behavior signature of the code module to the
known malware behavior signatures in the malware behavior signature store to
determine whether the behaviors recorded in the behavior signature of the code
module match behaviors recorded in a behavior signature of a known malware
(Section "An active network to Handle Epidemics and Floods - Overview", pages
13-15: paragraph 5: lines 1-2; the gateway scanning the sample file against the latest virus
definition reads on a behavior signature comparison module that obtains the
behavior signature and compares the behavior signature to the known malware
behavior signatures in the malware behavior signature store to determine whether
the exhibited behaviors of the code module match the exhibited behaviors of known
malware; see also page 18, 2nd paragraph, and page 20, first paragraph);

Even though White teaches that the malware detection system is configured to
report whether the code module is malware or not (Section "An active network to
Handle Epidemics and Floods - Overview", pages 13-15), White does not explicitly
teach that the malware detection system is configured to report whether the code
module is malware based at least in part on the degree to which the behaviors recorded
in the behavior signature of the code module match behaviors recorded in a
behavior signature of the known malware.
Schultz teaches that the malware detection system is configured to report
whether the code module (executable) is malware based at least in part on the
degree (probability or likelihood) to which the code module's exhibited execution
behaviors match the exhibited behaviors of a known malware [abstract, last 8 lines,
and paragraph 0022].

At the time the invention was made, it would have been obvious to one of ordinary
skill in the art to combine Schultz's teachings with White's system. The
motivation/suggestion would have been to make the system more reliable and secure
by detecting malicious executables [Schultz, paragraph 0005].

The combined teachings of White and Schultz do not explicitly teach that the
execution behaviors are interesting API function calls, wherein the interesting API
function calls are specified by a user and comprise a portion of all API function calls
that the code module makes, and wherein only the interesting API function calls, but not
all the API function calls, that the code module makes during execution in the
dynamic behavior evaluation module are recorded. Muttik teaches that the execution
behaviors are interesting API function calls, wherein the interesting API function calls
are specified by a user and comprise a portion of all API function calls that the code
module makes, and wherein only the interesting API function calls, but not all the API
function calls, that the code module makes during execution in the dynamic behavior
evaluation module are recorded [paragraphs 0037, 0038, 0040 and 0041].

At the time the invention was made, it would have been obvious to one of ordinary
skill in the art to modify the combined method of White and Schultz with Muttik's
teachings. The motivation/suggestion would have been to be able to identify the
source code of the malware [Muttik, abstract].
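The system that the rejection maps onto White, Schultz and Muttik (a management module that determines a code module's type and selects a dynamic behavior evaluation module for it; that module recording only the user-specified interesting API calls into a behavior signature; a comparison module that scores the signature against a store of known malware behavior signatures and reports a verdict based on the degree of match) is shown below as an added Python example. It is not code from this Office action or from any of the cited references. The API names, the malware signature store, the header-byte typing rule, the multiset Jaccard similarity used as the degree of match and the verdict thresholds are all constructed assumptions, and sandbox execution is stood in for by replaying a constructed API-call trace.

```python
"""Added example: the claim-1 pipeline as characterized in the rejection above.
Not code from the Office action or the cited references; all names and values are
constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Trace = Tuple[str, ...]
BehaviorSignature = Tuple[str, ...]

# User-specified "interesting" API calls, per code-module type. Only these calls are
# recorded; every other call the module makes is dropped. (Constructed lists.)
INTERESTING_APIS: Dict[str, frozenset] = {
    "pe": frozenset({"CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread", "connect"}),
    "macro": frozenset({"CreateObject", "URLDownloadToFile", "Shell", "FileCopy"}),
}

# Malware behavior signature store: known malware -> its recorded signature. (Constructed.)
MALWARE_SIGNATURE_STORE: Dict[str, BehaviorSignature] = {
    "dropper-family-A": ("CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread"),
    "macro-downloader-B": ("CreateObject", "URLDownloadToFile", "Shell"),
}


@dataclass(frozen=True)
class CodeModule:
    name: str
    raw: bytes    # module bytes; only the leading bytes are used for typing here
    trace: Trace  # stand-in for the API calls a sandbox would observe (constructed)


def determine_type(module: CodeModule) -> str:
    """Management module, step 1: decide the code module's type from its header bytes."""
    if module.raw.startswith(b"MZ"):
        return "pe"
    if module.raw.startswith(b"\xd0\xcf\x11\xe0"):  # OLE compound document (VBA macro container)
        return "macro"
    return "unknown"


def make_evaluation_module(module_type: str) -> Callable[[CodeModule], BehaviorSignature]:
    """Dynamic behavior evaluation module for one type.

    A real module would run the code in a virtual environment for that type; here
    "execution" is replaying the constructed trace. Only the user-specified interesting
    API calls are recorded, in order, into the behavior signature."""
    interesting = INTERESTING_APIS[module_type]

    def evaluate(module: CodeModule) -> BehaviorSignature:
        return tuple(call for call in module.trace if call in interesting)

    return evaluate


def select_evaluation_module(module_type: str) -> Callable[[CodeModule], BehaviorSignature]:
    """Management module, step 2: pick the evaluation module that matches the type."""
    if module_type not in INTERESTING_APIS:
        raise ValueError(f"no dynamic behavior evaluation module for type {module_type!r}")
    return make_evaluation_module(module_type)


def degree_of_match(sig: BehaviorSignature, known: BehaviorSignature) -> float:
    """Degree to which two signatures share recorded behaviors (multiset Jaccard).
    Repeated calls count as often as they occur; 1.0 = same calls in the same
    quantities, 0.0 = no recorded behavior in common."""
    a, b = Counter(sig), Counter(known)
    shared = sum((a & b).values())
    total = sum((a | b).values())
    return shared / total if total else 0.0


def compare_and_report(module_name: str, sig: BehaviorSignature,
                       store: Dict[str, BehaviorSignature] = MALWARE_SIGNATURE_STORE,
                       malware_threshold: float = 0.7, suspicious_threshold: float = 0.4) -> dict:
    """Behavior signature comparison module: score against every known signature and
    report a verdict that depends on the degree of match, not only on an exact hit."""
    best_name, best_degree = None, 0.0
    for name, known in store.items():
        d = degree_of_match(sig, known)
        if d > best_degree:
            best_name, best_degree = name, d
    if best_degree >= malware_threshold:
        verdict = "malware"
    elif best_degree >= suspicious_threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"module": module_name, "verdict": verdict, "best_match": best_name,
            "degree": round(best_degree, 3), "signature": sig}


def analyze(module: CodeModule) -> dict:
    """End-to-end pipeline for one code module: type -> evaluation module -> signature -> report."""
    module_type = determine_type(module)
    evaluate = select_evaluation_module(module_type)
    return compare_and_report(module.name, evaluate(module))


if __name__ == "__main__":
    # Constructed samples: a PE dropper look-alike, a benign PE, and an Office macro.
    samples = [
        CodeModule("sample1.exe", b"MZ\x90\x00", ("GetProcAddress", "CreateFileW", "WriteFile",
                   "GetTickCount", "RegSetValueExW", "CreateRemoteThread", "Sleep")),
        CodeModule("notepad-like.exe", b"MZ\x90\x00", ("GetProcAddress", "CreateFileW", "ReadFile", "CloseHandle")),
        CodeModule("invoice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1", ("MsgBox", "CreateObject",
                   "URLDownloadToFile", "Sleep", "Shell", "Shell")),
    ]
    for m in samples:
        print(analyze(m))
```

The verdict is driven by the best degree of match rather than by exact equality, which is the point the rejection attributes to Schultz: a sample whose recorded behaviors mostly overlap a known signature is still reported. Because only the interesting calls are recorded, housekeeping calls such as `GetProcAddress` or `Sleep` never enter the signature and cannot dilute the comparison.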

10. The system of claim 2, the method of claim 3 and the computer-readable medium
of claim 4 have the same limitations as claim 1, and hence the same rejection rationale is
applied.

11. For claim 7 and similar claims 10, 13 and 16, White discloses wherein the
predefined set of execution behaviors to record corresponds to a set of system calls
(page 20, paragraph 1, "classification").

12. For claim 17 and similar claim 18, White discloses wherein the malware detection
system is further configured to report a positive identification of a known malware
(Section "An active network to Handle Epidemics and Floods - Overview", pages 13-
15: paragraph 5: lines 1-2; the gateway scanning the sample file against the latest virus
definition reads on a behavior signature comparison module that obtains the behavior
signature and compares the behavior signature to the known malware behavior
signatures in the malware behavior signature store to determine whether the exhibited
behaviors of the code module match the exhibited behaviors of known malware).

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to HADI ARMOUCHE whose telephone number is
(571) 270-3618. The examiner can normally be reached on M-Th 7:30-5:00 and Fridays
half day.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (571) 272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Examiner, Art Unit 2432

/Benjamin E Lanier/ 

Primary Examiner, Art Unit 2432 



